EMA Research Blog: Navigating IT and Security Horizons

Working in information security for the past 20 years, I have seen a lot. Though there have been many multi-million dollar impact breaches, the recent Sony Pictures hack and subsequent data exposure and extortion is probably the most impactful to a company out of the previous breaches this year.

When I started out in security, only very large organizations with a mature set of business processes dared to talk about implementing some form of governance, risk, and compliance (GRC) or enterprise program (e-GRC). They generally did it in an attempt to get ISO or similar certification, or to “move their programs to the next level,” and some, I think, attempted it just to prove they did it. Many of those efforts were monumental, costing millions of dollars and taking years to complete. However, a significant number seemed to end in compromise, yielding a smaller end result or totally failing after thousands of man hours and millions of dollars for software, systems, and consulting had been spent.

There is no disagreement that the current mag-stripe technology used in the USA and other countries outside of the EU is antiquated and lends itself to fraud. The data is easily copied using various methods from manual card data copying and shoulder surfing, to database compromise and POS terminal malware.  Cards can be reproduced with off-the-shelf plastic blanks and a simple machine you can buy on the Internet.

The Cloud Security Alliance (CSA) is a not-for-profit think tank of volunteers that spend their time trying to better the internet. These people are the antithesis of cybercriminals; they spend their energy trying to figure out ways to make our data safer. They create best practices for providing security assurance within cloud computing, or in this case, they determine how a cloud environment can be used to enhance and scale authentication for a service that can be cloud-based or private data center-based.

This week, Las Vegas hosted some 3500 people at the MGM Grand to mark Splunk .conf14, the annual user gathering for Splunk customers, referred to as “Splunkers”. For those of you not in the tech industry, spelunking, or the act of exploring caves, may come to mind. The theme of the conference was not cave exploration, but data exploration; however, the analogy of cave exploration actually aligns very well. “Splunkers” are diving into their data, delving deep into places that many have never explored before. Each of them finding new and cool ways to use the data that they have been collecting for years, just-in-case they ever needed it.

In skiing, the “black diamond” run or ski slope is often referred to as “high risk/high reward.” You receive lots of “reward” skiing the black diamond slopes, but you have a significant amount of “risk” associated with variable terrain, such as the presence of trees and the possibility of injury. However, the black diamond slopes are very fun to experience, and you can mitigate the risks with preparation, practice, and a really good skiing helmet.

A little over a year ago, I got into a rather animated argument about whether IT could measure its performance by the “value” it delivered rather than by purely measuring “costs.” My dinner companion insisted that IT could now, always, and forever only be measured on costs. I disagreed. In fact I had just planned [...]

Waaay back in the day (say 2002), organizations would ask themselves:

If you are an IT manager, have you ever found yourself stuck in the uncomfortable position of having to choose which jobs are given priority access to essential computing resources? Most likely you have as this is not an uncommon problem. Expecting them to invoke the Wisdom of Solomon, enterprises often bestow the power to decide the workload hierarchy on IT operations. But as most IT managers will tell you, this responsibility is typically more of a curse than a blessing.